@clawsoon

@anarion @nixCraft @rvstaveren @WPalant I woke up this morning with the idea to graph the timestamps from the full headers of Jia Tan's emails to the xz-devel mailing list, since that would provide mail server timestamps that couldn't be shifted on the client side, but I can't figure out a way to get mail-archive.com to show full email headers. :(

@rvstaveren @anarion @nixCraft Yep, very creepy. Somewhere there's a file of OSS maintainers with a column for exploitable mental health vulnerabilities.

@WPalant The easiest way to get a believable distribution would've been to set both their timezone and their system time to something arbitrary, though as you point out simply setting the timezone seems most likely.

Would Github have recorded any guaranteed-actual-time-things-happened info on their servers?

@anarion @nixCraft @rvstaveren The wildest possible interpretation: Jia Tan actually is Chinese and working in China, but they worked the night shift in order to pretend to be a European pretending to be a Chinese person. /jk

If there is DST, I'd expect the first commits of the day to jump an hour away from 12 noon UTC, but I'm not seeing that. The end-of-day signal seems weaker overall than the start-of-day signal, so it's hard to draw conclusions.

@anarion @nixCraft @rvstaveren And I'm increasingly unsure about my US East Coast interpretation the more I look at it, lol.

@WPalant With DST, though... in @rvstaveren's graph, it doesn't look like there's any shift in their day for a time change. They start checking in at 12 noon UTC whether it's January or July. That could put the focus back on Russia (or, like... Brazil? Africa? ...though those seem much less likely).

@WPalant Would those timestamps have been set on a system controlled by Lasse, or a system controlled by Jia?

In theory, if it was a system controlled by Jia, they could've set the system time, not just the timezone, however they'd like. It would've been inconvenient, especially if they were in an organization with Kerberos-based authentication, but doable.

@WPalant Looking at @rvstaveren's scatter plot, it seems like the pre-12-noon-UTC commits didn't start happening until August 2023 or thereabouts, and even after that there were only a handful. Your "morning meetings" hypothesis does seem plausible, though.

Somebody pointed out that Russia and Belarus don't use DST, so if there is a DST effect it might rule those countries out.

@WPalant Thanks, that's great!

@[email protected] Here's the graph I saw that made me think that -0300 makes more sense than +0300:

https://mastodon.online/@rvstaveren/112185625683481175

rvstaveren (@[email protected])

@[email protected] From birchb0y on Twitter: https://twitter.com/birchb0y/status/1773871381890924872 “Interesting note on the #xz backdoor: If you plot Jai Tan's commit history over time, the cluster of offending commits occurs at an unusual time compared to rest of their activity. If the dev was pwned, it could be a sign that the threat actor contributed in their own timezone” other than that, still smoke and mirrors to me. idk
